The logistical challenges in shifting from largely office-based employment to mass home working were immense.
And the need for speed – to maintain operations, serve clients and customers and keep cash flowing – meant attention to data security was not always a major concern.
As David Goodbrand, a technology and commercial partner at law firm Burness Paull, says: “Some larger organisations were already well set up for home working in terms of data infrastructure and data privacy considerations. But they were very much in the minority – and a lot of businesses are playing catch-up.”
Adarma, an independent security services company headquartered in Edinburgh, says the pandemic caused “unprecedented business disruption and change, resulting in increased security risks as businesses adjust to new ways of remote working”.
Rory Shannon, director of managed services for Adarma, says: “Remote working has its benefits. However, presented with an extended level of freedom and independence, as well as reduced influence of cultural norms and behaviours, staff may be more likely to stray from organisational processes and working practices.
“The traditional working environment encourages adherence to ‘cyber hygiene’ and organisational policy by default and it’s important organisations support their staff in maintaining security best practices.”
David Goodbrand highlights three specific security challenges arising from the shift to home working:
- Increasing use of personal devices
- An exponential rise in the use of third party apps and technology
- Remote working can amplify known business risks.
In terms of personal devices, Goodbrand says: “Not all staff were issued with their own office laptop or mobile device. Out of necessity, many had to use their own devices to keep working.
“Personal devices do not necessarily have the same level of security measures baked in – such as end-to-end encryption, anti-virus software, firewalls and back-up tools.
“If personal devices are not properly managed or updated, there is a heightened risk of compromise by malware, putting personal and work-related information at risk.”
Shannon highlights a range of challenges created by the use of personal devices by employees for work purposes – including a lack of software updates, inconsistency with other work devices in terms of allowing or blocking traffic through firewalls, and the use of prohibited or insecure protocols on the network.
In terms of the rise in third party applications, Goodbrand says: “Apps and platforms have filled a void in the absence of normal work communication and networking and we have all relied on them for day-to-day working – often from a standing start.
“Many of them, especially video-conferencing apps, faced questions about security capability and functionality.
“For organisations dealing with critical and confidential data, it’s a big issue if apps and platforms are not as secure as they should be. You have to look at what’s out there and make the best choice for your organisation.”
Goodbrand says firms should carry out data protection impact assessments when they introduce new technology or apps.
“Firms had to act quickly and there is a lot of retrospective activity going on, but things are improving,” he says. “Providers are acutely aware of security issues and they will continue to improve their technology and security measures in order to minimise vulnerabilities and threats.”
The third risk is more prosaic.
“Working from home means we are surrounded by family or flatmates, and can be overheard by neighbours,” says Goodbrand. That introduces new risks – an “insider threat” – so avoid having sensitive conversations out loud, leaving confidential documents in open view or printing sensitive material at home.
He highlights the scale of the challenge with reference to Burness Paull: “We went from three main offices [Aberdeen, Edinburgh and Glasgow] to almost 600 home offices. Not all businesses have got their head around the complexity of the ongoing data protection challenge that they now face.”
Mandy Laurie, an employment partner at Burness Paull, thinks there could be a price to pay for a general lack of focus on data security issues arising from home working.
“People were so focused on getting up and running that many sent employees home with a laptop and didn’t think much about it. Then issues like furlough and restructuring took over and data security stayed well down the priority list – even for many larger firms,” she says.
“We’re now starting to see proper risk assessments, and employers really need to focus on training and policies and examine how home working will impact on employees.
“So far there have been very few cases arising from data breaches by employees. I think we’ll see things coming through, especially as many employees will continue working from home.”
Goodbrand says there is evidence that larger firms, even in key sectors like financial services, were not well-prepared for home working – and that a lack of bandwidth and infrastructure meant staff had to work at different times of day to cope with low capacity.
Adarma has recognised this issue too. Shannon says: “When virtual private networks (VPNs) are at capacity and disconnected temporarily as they struggle to cope with the sudden rise in demand, this could leave company assets vulnerable to staff looking for insecure workarounds.”
The lack of sharp focus on data security has also not been lost on the online criminal fraternity.
According to Adarma: “Threats are constantly changing and with clear intelligence on new Covid-19 related phishing and malware attacks, we see risks increasing
Goodbrand also notes that there has been a big increase in attempted cyber breaches.
He says: “There has been a rise in push-payment fraud [where fraudsters deceive individuals into sending them money, often by posing as a representative of a bank] and that seems to be increasing, although we haven’t seen definitive figures yet.”
This has led to a huge demand for support from cyber security businesses, but Goodbrand stresses that good practice needs to start at home, saying: “The big change needs to be in the culture of businesses – both selecting the right technology for your business and embedding good practice alongside that. Firms need to be proactive and not just reactive after a cyber breach.”